[#675 state:resolved] dev-user-changer does not escape email addresses

tslocke · Mar 18, 2010 · 9e100f1 · 9e100f1
1 parent a54349e
commit 9e100f1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hobo/taglibs/rapid_core.dryml b/hobo/taglibs/rapid_core.dryml
@@ -614,7 +614,7 @@ The context should be a user object. If `this == current_user` the "you" form is
   <set user="&Hobo::User.default_user_model"/>
   <select-menu if="&user && RAILS_ENV == 'development'"
                first-option="#{ht('hobo.dev_user_changer.guest', {:default=>'Guest'})}" options="&user.all(:limit => 30).*.login"
-               onchange="location.href = '#{dev_support_path}/set_current_user?login=' + this.options[this.selectedIndex].value"
+               onchange="location.href = '#{dev_support_path}/set_current_user?login=' + encodeURIComponent(this.options[this.selectedIndex].value)"
                selected="#{current_user.login}"
                class="dev-user-changer"
                merge-attrs/>